AMENDMENTS TO THE CLAIMS

1-4. (Canceled) 

5. (Currently amended) The method according to claim 4 claim 118, wherein the logical rules 
comprise a joining rule, and wherein the query plan comprises selecting a key responsively to the
joining rule, and joining the data from two or more of the data sources using the key, and 

wherein selecting the key comprises analyzing the data so as to select one or more fields in 
the two or more of the data sources for use as the key so as to provide a desired statistical 
probability that the data will be joined correctly. 

6-7. (Canceled) 

8. (Currently amended) The method according to claim 1 claim 118, wherein the logical rules 
comprise an access rule, and wherein the query plan comprises selecting at least one of the data 
sources for use in generating the response responsively to the access rule as applied to the user who 
submitted the query. 

9-27. (Canceled) 

28. (Original) A method for data access, comprising: 

defining an ontology for application to a set of diverse data sources comprising data; 
defining data access rights with respect to the ontology; and 

controlling user access to the data responsively to the ontology of the data and the access rights
applicable thereto. 

29. (Original) The method according to claim 28, wherein defining the ontology comprises 
specifying a user ontology, and wherein defining the data access rights comprises assigning
a classification to a user according to the user ontology, and wherein controlling the user
access comprises comparing the classification to the access rights applicable to the data. 

30. (Original) The method according to claim 29, wherein the diverse data sources are
distributed among a set of autonomous organizations comprising at least first and second 
organizations, and wherein assigning the classification comprises classifying the user according to 
an organizational affiliation of the user so as to control access by users in the first organization to 
the data sources held by the second organization. 

31. (Currently amended) The method according to any of claims 28-30 claim 28, wherein
controlling the user access comprises receiving a query from a user to access the data in the data 
sources, determining a query plan for responding to the query by selecting one or more of the data 
sources responsively to the ontology such that the access rights permit the user to access the data in 
the one or more of the data sources, and generating a response to the query in accordance with the 
query plan. 

32-33. (Canceled) 

34. (Currently amended) The method according to claim 32 or 33 claim 119, wherein the data
resources sources are distributed among a set of autonomous organizations comprising at least first
and second organizations, wherein the user submitting the query belongs to the first organization, 
and wherein determining the query plan comprises selecting, responsively to the performance 
characteristics, one of the data resources of the second organization for use in responding to the 
query. 

35. (Original) A method for exchange of information, comprising: 

establishing a virtual private network among a plurality of nodes, comprising at least first and 
second nodes, which are configured to communicate with one another over an underlying public 
physical network; 

defining a semantic communication model for conveying data packets among the nodes in 
the virtual private network, responsively to an ontology of the information; 

sending a data packet over the virtual private network from the first node to the second node; and

filtering the data packet against the semantic communication model at the second node, so as 
to verify that the data packet is legitimate. 

36. (Original) The method according to claim 35, wherein defining the semantic communication
model comprises defining a closed set of semantic messages that may be carried by data packets in 
the virtual private network. 

37. (Original) The method according to claim 35, wherein the nodes are distributed among a set 
of autonomous organizations. 

38-66. (Canceled) 

67. (Original) Apparatus for data access, comprising a hub processor, which is adapted to 
receive a definition of an ontology for application to a set of diverse data sources comprising data
and a definition of data access rights with respect to the ontology, and which is adapted to control 
user access to the data responsively to the ontology of the data and the access rights applicable 
thereto. 

68. (Canceled) 

69. (Currently amended) The apparatus according to claim 68 claim 67, wherein the diverse data 
sources are distributed among a set of autonomous organizations comprising at least first and 
second organizations, and wherein the hub processor is adapted to classify the a user according to an 
organizational affiliation of the user so as to control access by users in the first organization to the 
data sources held by the second organization. 

70. (Currently amended) The apparatus according to any of claims 67-69 claim 67, wherein the
hub processor is adapted to receive a query from a user to access the data in the data sources, to
determine a query plan for responding to the query by selecting one or more of the data sources 
responsively to the ontology such that the access rights permit the user to access the data in the one 
or more of the data sources, and to generate a response to the query in accordance with the query 
plan. 

71-73. (Canceled) 

74. (Original) Apparatus for exchange of information, comprising a plurality of computing 
nodes, which comprise at least first and second nodes, and which are linked to communicate over a 
virtual private network running over an underlying public physical network, and which are 
configured to exchange data packets over the virtual private network in accordance with a semantic
communication model, which is defined responsively to an ontology of the information, wherein at 
least the second node is adapted, upon receiving a data packet over the virtual private network from 
the first node, to filter the data packet against the semantic communication model so as to verify that 
the data packet is legitimate. 

75-105. (Canceled) 

106. (Original) A computer software product, comprising a computer-readable medium in which 
program instructions are stored, which instructions, when read by a computer, cause the computer to 
receive a definition of an ontology for application to a set of diverse data sources comprising data 
and a definition of data access rights with respect to the ontology, and to control user access to the 
data responsively to the ontology of the data and the access rights applicable thereto. 

107. (Canceled) 

108. (Currently amended) The product according to claim 107 claim 106, wherein the diverse 
data sources are distributed among a set of autonomous organizations comprising at least first and 
second organizations, and wherein the instructions cause the computer to classify a user
according to an organizational affiliation of the user so as to control access by users in the first 
organization to the data sources held by the second organization. 

109-112. (Canceled) 

113. (Original) A computer software product, comprising a computer-readable medium in which 
program instructions are stored, which instructions, when read by a group of computing nodes that 
includes at least first and second nodes, linked to communicate over a physical public network, 
cause the computing nodes to communicate in a virtual private network by exchanging data packets 
over the public physical network in accordance with a semantic communication model, which is 
defined responsively to an ontology of the information, wherein the instructions cause at least the 
second node, upon receiving a data packet over the virtual private network from the first node, to 
filter the data packet against the semantic communication model so as to verify that the data packet 
is legitimate. 

114-117. (Canceled)

118. (New) The method according to claim 28, and comprising: 

associating with the ontology one or more logical rules applicable to semantics of the data in the 
data sources; 

receiving a query from a user regarding the data; 

determining a query plan for responding to the query by selecting one or more of the data sources 
responsively to the ontology and by identifying an operation to be applied to the data responsively 
to the applicable logical rules; and 

generating a response to the query in accordance with the query plan. 

119. (New) The method according to claim 28, and comprising:

collecting information regarding a topology and performance characteristics of the data sources; 
receiving a query from a user regarding the data; 

determining a query plan responsively to the query and to the information regarding the topology 
and performance characteristics; and 

generating a response to the query in accordance with the query plan. 

120. (New) The apparatus according to claim 67, wherein the hub processor is adapted to 
associate with the ontology one or more logical rules applicable to the semantics of the data in the 
data sources, and is further adapted, upon receiving a query from a user regarding the data, to 
determine a query plan for responding to the query by selecting one or more of the data sources 
responsively to the ontology and by identifying an operation to be applied to the data responsively 
to the applicable logical rules, and to generate a response to the query in accordance with the query 
plan. 

121. (New) The apparatus according to claim 67, wherein the hub processor is adapted to collect 
information regarding a topology and performance characteristics of the data sources, and is further 
adapted, upon receiving a query from a user regarding the data, to determine a query plan 
responsively to the query and to the information regarding the topology and performance
characteristics, and to generate a response to the query in accordance with the query plan. 

122. (New) The product according to claim 106, wherein the instructions cause the computer to 
associate with the ontology one or more logical rules applicable to the semantics of the data in the 
data sources, and further cause the computer, upon receiving a query from a user regarding the data, 
to determine a query plan for responding to the query by selecting one or more of the data sources 
responsively to the ontology and by identifying an operation to be applied to the data responsively 
to the applicable logical rules, and to generate a response to the query in accordance with the query 
plan. 

123. (New) The product according to claim 106, wherein the instructions cause the computer to 
collect information regarding a topology and performance characteristics of the data sources, and 
further cause the computer, upon receiving a query from a user regarding the data, to determine a 
query plan responsively to the query and to the information regarding the topology and performance 
characteristics, and to generate a response to the query in accordance with the query plan. 